GDPR: The final countdown

GDPR is all but here—is your business ready?

The General Data Protection Regulation (GDPR), due to be implemented on 25 May, is transformative, giving EU member states up-to-date, uniform data protection rules that are fit for the digital age, while prizing the individual’s right to privacy above almost everything else.

“Put simply, the old data protection model was no longer fit for purpose,” says Darren Gower, marketing director at Eclipse Legal Systems. “GDPR aims to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that’s vastly different from two decades ago.”

The focus of GDPR is the individual, as Gower explains: “They have extended rights, free of charge, to be able to check what data is being processed by an organisation and if that processing is lawful.”

“Consent is changing for the better—consent to process data is only now obtainable through clear and accurate explanations about what data is being collected, why, where it will be used, shared or stored, and for how long. It’s a positive opt-in where the individual clearly understands what they’re consenting to.”

GDPR applies to everyone, from the biggest businesses to one-man bands. Law firms in Yorkshire are no exception, and in the rush to compliance, some might have put off their own programmes.

In November 2017, “there was a distinct lack of preparation” among UK law firms for GDPR, says Gower.

“Only 25% at that stage thought they were currently compliant. According to the Law Society, as at 20 February 2018, that still seems to be the case.”

“May is sneaking up on us fast, and firms that haven’t started their compliance project face a number of challenges. Some of the most important areas to address are data protection policies, risk management and information security management. I feel there has been a ‘millennium bug’ view on GDPR, that is, firms thinking, ‘it will all be fine and just blow over’. That’s a scary approach: GDPR is coming, it has real teeth, and carries heavy financial penalties for non-compliance. It needs to be taken extremely seriously.”

Matthew Hattersley, partner and head of the commercial and IT team at Clarion, says: “Law firms have, on the whole, been very good at providing a service on GDPR to their customers. However, their own GDPR compliance has inevitably taken a backseat, given that it’s an internal, non-chargeable activity.”

But, as Hattersley points out, law firms in Yorkshire that are helping clients with GDPR have had some good practice. “It’s exactly the same procedures; we’re no different from any other business.”

Law firms are “very rich sources of personal data”, says Hattersley, and “should be taking GDPR extremely seriously”.

“Speaking to other people in other law firms, particularly those below the national level, GDPR is very much a second thought rather than a first thought. We’ve been working hard at Clarion to achieve GDPR compliance, but it is taking a considerable amount of time. We’ll be compliant by 25 May, but we’ll be in a privileged position, because a lot of law firms won’t have organised themselves in time.”

Emma Roe, partner and head of commercial at Shulmans, agrees that GDPR isn’t getting the attention that it deserves. She says: “GDPR seems to be going into the ‘too hard’ pile for some people, which I think is a shame as I suspect most law firms have been sufficiently compliant in their data handling to date to mean that the upgrade to GDPR compliance isn’t too big a leap.”

Know your foe

Those law firms that are yet to crack GDPR should first grasp the personal data that they have within their businesses.

“The data mapping exercise is the foundation for any GDPR compliance programme,” says Hattersley. “Until you know what data you’ve got, you won’t know what actions you’ve got to take.”

“From our experience of doing this data mapping exercise, we found a lot of day-to-day issues, such as replicated Excel spreadsheets. One of our first activities was removing duplicate copies of marketing lists that had been saved on individual computers and hard drives, for example, due to analysis ahead of attending an event. So they were doing it for the right reasons, but undermining GDPR compliance.”

“It’s been a really helpful exercise in reminding us about a lot of our data protection obligations. And it made us more ready for GDPR. So, as a first step, make sure you’ve mapped your data.”

Marketing and consent, as Gower pointed out, are hot topics in GDPR compliance. Hattersley says: “The general provisions around what you can and can’t do around personal data are quite restrictive in many ways. I think those that manage marketing databases more proactively, and look to use the different grounds on which you might market, will be successful in those marketing activities. This is because you might easily cause your database to become valueless, if you don’t manage it properly.”

Hattersley adds: “The ePrivacy Regulation, set to come in at the same time as GDPR, also places restrictions on electronic marketing. Those restrictions work in combination with GDPR to control the type and amount of marketing you’re allowed to do. Organisations have to think carefully about this and come up with a strategy that they can document, so that they can explain why they are marketing the way they are.”

On consent, Roe explains: “One significant area of change under the GDPR is to the existing condition for processing of ‘consent’. I’ve heard a lot of rubbish being talked about consent, including someone advising marketing teams that the condition of ‘legitimate interest’ can be used to justify all law firm marketing activities without the need for reliance on consent. I’m afraid this kind of advice is downright misleading. Legitimate interest may be of use as a condition for direct marketing, but it’s a balancing exercise to be done against the data subject’s rights. It simply isn’t as black and white an issue as just saying everything will be fine if you rely on that.”

She adds: “Like most organisations, the best place to start is an understanding of what types of personal data are currently held by the law firm in question, what processing is done with it and how is it kept secure.”

“The most significant question is: which condition for lawful processing is currently being relied upon in relation to each form of data processing. The majority of the conditions for lawful processing have actually stayed the same under GDPR so, again, understanding which conditions remain in place and which are being relied upon forms the bedrock of achieving compliance under the new landscape.”

Gower says law firms should conduct an honest assessment and identification of current compliance gaps.

He says: “Workflows, processes and procedures need to be revisited to identify problem areas and potential non-compliance. In addition, a review of all existing contracts with suppliers will ascertain if they are handling personal data. For example, if using a cloud-based case management system, would—in the instance of a data breach—the supplier notify the law firm quickly so the 72-hour breach notification timebox could be complied with?”

The referee’s decision

Much has been written about GDPR’s penalty provisions. Set at fines of up to €20 million or 4% of worldwide turnover, whichever is higher, it’s worth noting the vast difference to what’s currently leviable—a maximum fine of £500,000. Despite the significant hike, law firms should remember that the Information Commissioner’s Office (ICO) “is there to regulate data protection, not issue fines”, says Hattersley.

Gower urges caution, however. He says: “Who wants to be the first to test this? You need to be very brave, or blissfully ignorant, to think that financial penalties will not be levied. The maximum penalties are so large they could destroy businesses, and let’s not forget the negative PR impact that will accompany such an outcome.”

Roe says of the potential penalties under GDPR: “It’s fair to say, these penalties do represent a major change in potential exposure in technical terms and so can’t be ignored. However, in my experience, the ICO, as the regulator of data protection in the UK for the last 20 years, focuses very much on seeking to educate and work with organisations who are trying to get things right, rather than rushing to fine for any and all breaches.”

“For them, it is the organisations with a clear cultural and, often, long-standing or repeated disregard for personal data that get the real impact of their fining powers. I don’t expect that approach to change dramatically, even if the figures might rise a little in due course.”

Roe adds: “I don’t expect the ICO to be rushing to impose fines on organisations they’ve never had reason to have on their radar before come 25 May 2018. However, it is worth bearing in mind that we’ve had a two-year transition period from when GDPR first came into force in May 2016.”

“So, I suspect there will be limited patience from the ICO when they first start engaging with organisations who haven’t got into a compliant position. Likewise, I can’t imagine the ICO giving much leeway to law firms who don’t get this particular area of compliance right first time.”

The legal sectors in Leeds, wider Yorkshire and across the country are serving clients at varying stages of GDPR compliance. Their legal advisers and counsel are best placed to do so, of course, but they must also heed their own advice here, because GDPR will be transformative in the way that data is handled and protected, elevating the digital privacy rights of individuals in Europe for the first time.

The clock is ticking for you to map your data, get your marketing databases under control, and engage with the ICO and experts in and around your firm, because 25 May is almost here.

This article originally appeared in issue 151 of Leeds & Yorkshire Lawyer